From 213021de0aaf5439db7d58ca1447db4ae6af92be Mon Sep 17 00:00:00 2001 
From: davidovski Date: Sat, 7 May 2022 13:50:28 +0100 Subject: added tor and xss-lock --- repo/devel/libunwind/libcxx-musl.patch | 28 +++++ repo/devel/libunwind/libunwind-link-libssp.patch | 20 ++++ repo/devel/libunwind/libunwind.xibuild | 48 +++++++++ repo/devel/libunwind/toolchain-libunwind.xibuild | 0 .../linux-headers/toolchain-linux-headers.xibuild | 0 repo/system/libcxx/toolchain-libcxx.xibuild | 0 repo/system/musl/toolchain-musl.xibuild | 15 +++ repo/util/pdfgrep/pdfgrep.xibuild | 23 ++++ .../tor/0002-disable-wildcard-escaping-test_patch | 25 +++++ .../0003-disable-sandbox_chown_filename-test_patch | 36 +++++++ .../util/tor/0004-disable-more-sandbox-tests_patch | 120 +++++++++++++++++++++ repo/util/tor/tor.confd | 13 +++ repo/util/tor/tor.initd | 92 ++++++++++++++++ repo/util/tor/tor.xibuild | 44 ++++++++ repo/util/tor/torrc.sample.patch | 27 +++++ repo/x11/xss-lock/xss-lock.xibuild | 23 ++++ 16 files changed, 514 insertions(+) create mode 100644 repo/devel/libunwind/libcxx-musl.patch create mode 100644 repo/devel/libunwind/libunwind-link-libssp.patch create mode 100644 repo/devel/libunwind/libunwind.xibuild create mode 100644 repo/devel/libunwind/toolchain-libunwind.xibuild create mode 100644 repo/linux/linux-headers/toolchain-linux-headers.xibuild create mode 100644 repo/system/libcxx/toolchain-libcxx.xibuild create mode 100644 repo/system/musl/toolchain-musl.xibuild create mode 100644 repo/util/pdfgrep/pdfgrep.xibuild create mode 100644 repo/util/tor/0002-disable-wildcard-escaping-test_patch create mode 100644 repo/util/tor/0003-disable-sandbox_chown_filename-test_patch create mode 100644 repo/util/tor/0004-disable-more-sandbox-tests_patch create mode 100644 repo/util/tor/tor.confd create mode 100644 repo/util/tor/tor.initd create mode 100644 repo/util/tor/tor.xibuild create mode 100644 repo/util/tor/torrc.sample.patch create mode 100644 repo/x11/xss-lock/xss-lock.xibuild (limited to 'repo') 
diff --git a/repo/devel/libunwind/libcxx-musl.patch b/repo/devel/libunwind/libcxx-musl.patch
new file mode 100644
index 0000000..358d4a3
--- /dev/null
+++ b/repo/devel/libunwind/libcxx-musl.patch
@@ -0,0 +1,28 @@
+Patch-Source: https://github.com/void-linux/void-packages/blob/74f16232621ca8dfb6d244beff1df35a6df1647f/srcpkgs/llvm12/patches/libcxx-musl.patch
+
+--- a/libcxx/include/locale
++++ b/libcxx/include/locale
+@@ -742,7 +742,11 @@ __num_get_signed_integral(const char* __a, const char* __a_end,
+ typename remove_reference::type __save_errno = errno;
+ errno = 0;
+ char *__p2;
++#if defined(__linux__) && !defined(__GLIBC__)
++ long long __ll = strtoll(__a, &__p2, __base);
++#else
+ long long __ll = strtoll_l(__a, &__p2, __base, _LIBCPP_GET_C_LOCALE);
++#endif
+ typename remove_reference::type __current_errno = errno;
+ if (__current_errno == 0)
+ errno = __save_errno;
+@@ -782,7 +786,11 @@ __num_get_unsigned_integral(const char* __a, const char* __a_end,
+ typename remove_reference::type __save_errno = errno;
+ errno = 0;
+ char *__p2;
++#if defined(__linux__) && !defined(__GLIBC__)
++ unsigned long long __ll = strtoull(__a, &__p2, __base);
++#else
+ unsigned long long __ll = strtoull_l(__a, &__p2, __base, _LIBCPP_GET_C_LOCALE);
++#endif
+ typename remove_reference::type __current_errno = errno;
+ if (__current_errno == 0)
+ errno = __save_errno;
diff --git a/repo/devel/libunwind/libunwind-link-libssp.patch b/repo/devel/libunwind/libunwind-link-libssp.patch
new file mode 100644
index 0000000..ae819fe
--- /dev/null
+++ b/repo/devel/libunwind/libunwind-link-libssp.patch
@@ -0,0 +1,20 @@
+--- a/libunwind/src/CMakeLists.txt
++++ b/libunwind/src/CMakeLists.txt
+@@ -129,7 +129,7 @@
+ else()
+ target_compile_options(unwind_shared PRIVATE -fno-rtti)
+ endif()
+- target_link_libraries(unwind_shared PRIVATE ${LIBUNWIND_LIBRARIES})
++ target_link_libraries(unwind_shared PRIVATE ${LIBUNWIND_LIBRARIES} -lssp_nonshared)
+ set_target_properties(unwind_shared
+ PROPERTIES
+ CXX_EXTENSIONS OFF
+@@ -157,7 +157,7 @@
+ else()
+ target_compile_options(unwind_static PRIVATE -fno-rtti)
+ endif()
+- target_link_libraries(unwind_static PRIVATE ${LIBUNWIND_LIBRARIES})
++ target_link_libraries(unwind_static PRIVATE ${LIBUNWIND_LIBRARIES} -lssp_nonshared)
+ set_target_properties(unwind_static
+ PROPERTIES
+ CXX_EXTENSIONS OFF
diff --git a/repo/devel/libunwind/libunwind.xibuild b/repo/devel/libunwind/libunwind.xibuild
new file mode 100644
index 0000000..067a91d
--- /dev/null
+++ b/repo/devel/libunwind/libunwind.xibuild
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+NAME="libunwind"
+DESC="LLVM version of libunwind library"
+
+MAKEDEPS="cmake "
+DEPS="musl "
+
+PKG_VER=13.0.0
+SOURCE="https://github.com/llvm/llvm-project/releases/download/llvmorg-$PKG_VER/libunwind-$PKG_VER.src.tar.xz"
+
+ADDITIONAL="
+ https://github.com/llvm/llvm-project/releases/download/llvmorg-$PKG_VER/llvm-$PKG_VER.src.tar.xz
+ https://github.com/llvm/llvm-project/releases/download/llvmorg-$PKG_VER/libcxx-$PKG_VER.src.tar.xz
+ libunwind-link-libssp.patch
+ libcxx-musl.patch
+"
+
+prepare () {
+ tar xvf libunwind-$PKG_VER.src.tar.xz
+ tar xvf llvm-$PKG_VER.src.tar.xz
+ tar xvf libcxx-$PKG_VER.src.tar.xz
+ mv libunwind-$PKG_VER.src libunwind
+ mv llvm-$PKG_VER.src llvm
+ mv libcxx-$PKG_VER.src libcxx
+
+ apply_patches
+}
+
+build () {
+ cmake -B build -G Ninja -S libunwind \
+ -DCMAKE_BUILD_TYPE=MinSizeRel \
+ -DCMAKE_C_FLAGS_MINSIZEREL_INIT="$CFLAGS" \
+ -DCMAKE_CXX_FLAGS_MINSIZEREL_INIT="$CXXFLAGS" \
+ -DCMAKE_EXE_LINKER_FLAGS_MINSIZEREL_INIT="$LDFLAGS" \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DLIBUNWIND_HAS_NODEFAULTLIBS_FLAG=OFF \
+ -DLIBUNWIND_STANDALONE_BUILD=ON
+ cmake --build build
+}
+
+package () {
+ DESTDIR="$PKG_DEST" cmake --install build
+ mkdir -p "$PKG_DEST"/usr/include/mach-o
+ cp libunwind/include/*.h "$PKG_DEST"/usr/include/
+ cp libunwind/include/mach-o/*.h "$PKG_DEST"/usr/include/mach-o/
+
+}
diff --git a/repo/devel/libunwind/toolchain-libunwind.xibuild b/repo/devel/libunwind/toolchain-libunwind.xibuild
new file mode 100644
index 0000000..e69de29
diff --git a/repo/linux/linux-headers/toolchain-linux-headers.xibuild b/repo/linux/linux-headers/toolchain-linux-headers.xibuild
new file mode 100644
index 0000000..e69de29
diff --git a/repo/system/libcxx/toolchain-libcxx.xibuild b/repo/system/libcxx/toolchain-libcxx.xibuild
new file mode 100644
index 0000000..e69de29
diff --git a/repo/system/musl/toolchain-musl.xibuild b/repo/system/musl/toolchain-musl.xibuild
new file mode 100644
index 0000000..ed46c6e
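Review bot: None of the three upstream tarballs named in SOURCE and ADDITIONAL carries an integrity value, so the build trusts whatever the HTTPS fetch returns and cannot detect a substituted or corrupted archive; if the xibuild format has a checksum field, the release hashes should be pinned here. The same applies to pdfgrep.xibuild, tor.xibuild and xss-lock.xibuild in this commit, and xss-lock's bitbucket `get/v$PKG_VER.tar.gz` URL is a forge-generated archive rather than a published release asset, so its content is not guaranteed stable across regenerations. I can't see the xibuild runner, so verification may happen elsewhere; a comment such as `# integrity: verified by <PLACEHOLDER: runner/step>` would settle it for the next reader.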
--- /dev/null
+++ b/repo/system/musl/toolchain-musl.xibuild
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+DESC="$DESC - for xibuild toolchain"
+
+build () {
+ export CXX=clang++
+ export CC=clang
+
+ CC=$CC CXX=$CXX ./configure --prefix=/
+ make
+}
+
+package () {
+ make install DESTDIR=$PKG_DEST
+}
diff --git a/repo/util/pdfgrep/pdfgrep.xibuild b/repo/util/pdfgrep/pdfgrep.xibuild
new file mode 100644
index 0000000..d4f5362
--- /dev/null
+++ b/repo/util/pdfgrep/pdfgrep.xibuild
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+NAME="pdfgrep"
+DESC="Commandline utility to search text in PDF files"
+
+MAKEDEPS="make "
+DEPS="musl pcre poppler "
+
+PKG_VER=2.1.2
+SOURCE="https://pdfgrep.org/download/pdfgrep-$PKG_VER.tar.gz"
+
+build () {
+ ./configure \
+ --prefix=/usr \
+ --bindir=/usr/bin \
+ --sysconfdir=/etc \
+ --disable-static
+ make
+}
+
+package () {
+ make DESTDIR=$PKG_DEST install
+}
diff --git a/repo/util/tor/0002-disable-wildcard-escaping-test_patch b/repo/util/tor/0002-disable-wildcard-escaping-test_patch
new file mode 100644
index 0000000..ee4f280
--- /dev/null
+++ b/repo/util/tor/0002-disable-wildcard-escaping-test_patch
@@ -0,0 +1,25 @@
+This will only fail on aarch64 and s390x, for some reason.
+--- a/src/test/test_util.c
++++ b/src/test/test_util.c
+@@ -4633,21 +4633,6 @@ test_util_glob(void *ptr)
+ TEST("file1"PATH_SEPARATOR"*");
+ EXPECT_EMPTY();
+
+-#ifndef _WIN32
+- // test wildcard escaping
+- TEST("\\*");
+- EXPECT_EMPTY();
+-
+- if (getuid() != 0) {
+- // test forbidden directory, if we're not root.
+- // (Root will be able to see this directory anyway.)
+- tor_asprintf(&pattern, "%s"PATH_SEPARATOR"*"PATH_SEPARATOR"*", dirname);
+- results = tor_glob(pattern);
+- tor_free(pattern);
+- tt_assert(!results);
+- }
+-#endif /* !defined(_WIN32) */
+-
+ #undef TEST
+ #undef EXPECT
+ #undef EXPECT_EMPTY
diff --git a/repo/util/tor/0003-disable-sandbox_chown_filename-test_patch b/repo/util/tor/0003-disable-sandbox_chown_filename-test_patch
new file mode 100644
index 0000000..3140139
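Review bot: `DESC="$DESC - for xibuild toolchain"` reads a `DESC` this file never sets, and the file also has no NAME, PKG_VER or SOURCE, so unless the runner sources the base musl.xibuild first the description begins with a dangling ` - `; if that inheritance is intended, say so: `# NAME/DESC/SOURCE are inherited from musl.xibuild, which the runner sources first`. `make install DESTDIR=$PKG_DEST` leaves `$PKG_DEST` unquoted, unlike `DESTDIR="$PKG_DEST"` in libunwind.xibuild and tor.xibuild from this same commit; pdfgrep.xibuild has the same unquoted form. The `CC=$CC CXX=$CXX` prefix on `./configure` is redundant after the two `export` lines directly above it.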
--- /dev/null
+++ b/repo/util/tor/0003-disable-sandbox_chown_filename-test_patch
@@ -0,0 +1,36 @@
+This test fail on armhf, armv7 and aarch64
+--- a/src/test/test_sandbox.c
++++ b/src/test/test_sandbox.c
+@@ -193,24 +193,6 @@ test_sandbox_chmod_filename(void *arg)
+ }
+
+ static void
+-test_sandbox_chown_filename(void *arg)
+-{
+- sandbox_data_t *data = arg;
+- int rc, errsv;
+-
+- if (chown(sandbox_intern_string(data->file_ops_allowed), -1, -1) != 0)
+- tt_abort_perror("chown");
+-
+- rc = chown(data->file_ops_blocked, -1, -1);
+- errsv = errno;
+- tt_int_op(rc, OP_EQ, -1);
+- tt_int_op(errsv, OP_EQ, EPERM);
+-
+- done:
+- (void)0;
+-}
+-
+-static void
+ test_sandbox_rename_filename(void *arg)
+ {
+ sandbox_data_t *data = arg;
+@@ -327,7 +309,6 @@ struct testcase_t sandbox_tests[] = {
+
+ SANDBOX_TEST_IN_SANDBOX(openat_filename),
+ SANDBOX_TEST_IN_SANDBOX(chmod_filename),
+- SANDBOX_TEST_IN_SANDBOX(chown_filename),
+ SANDBOX_TEST_IN_SANDBOX(rename_filename),
+
+ /* Currently the sandbox is unable to filter stat() calls on systems where
diff --git a/repo/util/tor/0004-disable-more-sandbox-tests_patch b/repo/util/tor/0004-disable-more-sandbox-tests_patch
new file mode 100644
index 0000000..7359b23
--- /dev/null
+++ b/repo/util/tor/0004-disable-more-sandbox-tests_patch
@@ -0,0 +1,120 @@
+These tests fail on aarch64
+--- a/src/test/test_sandbox.c
++++ b/src/test/test_sandbox.c
+@@ -148,71 +148,6 @@ test_sandbox_is_active(void *ignored)
+ }
+
+ static void
+-test_sandbox_open_filename(void *arg)
+-{
+- sandbox_data_t *data = arg;
+- int fd, errsv;
+-
+- fd = open(sandbox_intern_string(data->file_ops_allowed), O_RDONLY);
+- if (fd == -1)
+- tt_abort_perror("open");
+- close(fd);
+-
+- /* It might be nice to use sandbox_intern_string() in the line below as well
+- * (and likewise in the test cases that follow) but this would require
+- * capturing the warning message it logs, and the mechanism for doing so
+- * relies on system calls that are normally blocked by the sandbox and may
+- * vary across architectures. */
+- fd = open(data->file_ops_blocked, O_RDONLY);
+- errsv = errno;
+- tt_int_op(fd, OP_EQ, -1);
+- tt_int_op(errsv, OP_EQ, EPERM);
+-
+- done:
+- if (fd >= 0)
+- close(fd);
+-}
+-
+-static void
+-test_sandbox_chmod_filename(void *arg)
+-{
+- sandbox_data_t *data = arg;
+- int rc, errsv;
+-
+- if (chmod(sandbox_intern_string(data->file_ops_allowed),
+- S_IRUSR | S_IWUSR) != 0)
+- tt_abort_perror("chmod");
+-
+- rc = chmod(data->file_ops_blocked, S_IRUSR | S_IWUSR);
+- errsv = errno;
+- tt_int_op(rc, OP_EQ, -1);
+- tt_int_op(errsv, OP_EQ, EPERM);
+-
+- done:
+- (void)0;
+-}
+-
+-static void
+-test_sandbox_rename_filename(void *arg)
+-{
+- sandbox_data_t *data = arg;
+- const char *fname_old = sandbox_intern_string(data->file_ops_allowed),
+- *fname_new = sandbox_intern_string(data->file_rename_target_allowed);
+- int rc, errsv;
+-
+- if (rename(fname_old, fname_new) != 0)
+- tt_abort_perror("rename");
+-
+- rc = rename(fname_new, fname_old);
+- errsv = errno;
+- tt_int_op(rc, OP_EQ, -1);
+- tt_int_op(errsv, OP_EQ, EPERM);
+-
+- done:
+- (void)0;
+-}
+-
+-static void
+ test_sandbox_openat_filename(void *arg)
+ {
+ sandbox_data_t *data = arg;
+@@ -235,28 +170,6 @@ test_sandbox_openat_filename(void *arg)
+ }
+
+ static void
+-test_sandbox_opendir_dirname(void *arg)
+-{
+- sandbox_data_t *data = arg;
+- DIR *dir;
+- int errsv;
+-
+- dir = opendir(sandbox_intern_string(data->dir_ops_allowed));
+- if (dir == NULL)
+- tt_abort_perror("opendir");
+- closedir(dir);
+-
+- dir = opendir(data->dir_ops_blocked);
+- errsv = errno;
+- tt_ptr_op(dir, OP_EQ, NULL);
+- tt_int_op(errsv, OP_EQ, EPERM);
+-
+- done:
+- if (dir)
+- closedir(dir);
+-}
+-
+-static void
+ test_sandbox_stat_filename(void *arg)
+ {
+ sandbox_data_t *data = arg;
+@@ -302,15 +215,8 @@ struct testcase_t sandbox_tests[] = {
+ #ifdef ENABLE_FRAGILE_HARDENING
+ SANDBOX_TEST_SKIPPED(open_filename),
+ SANDBOX_TEST_SKIPPED(opendir_dirname),
+-#else
+- SANDBOX_TEST_IN_SANDBOX(open_filename),
+- SANDBOX_TEST_IN_SANDBOX(opendir_dirname),
+ #endif /* defined(ENABLE_FRAGILE_HARDENING) */
+
+- SANDBOX_TEST_IN_SANDBOX(openat_filename),
+- SANDBOX_TEST_IN_SANDBOX(chmod_filename),
+- SANDBOX_TEST_IN_SANDBOX(rename_filename),
+-
+ /* Currently the sandbox is unable to filter stat() calls on systems where
+ * glibc implements this function using either of the legacy "stat" or "stat64"
+ * system calls, or (in glibc version 2.33 and later) either of the newer
diff --git a/repo/util/tor/tor.confd b/repo/util/tor/tor.confd
new file mode 100644
index 0000000..38a482c
--- /dev/null
+++ b/repo/util/tor/tor.confd
@@ -0,0 +1,13 @@
+# Location of the torrc configuration file.
+#conffile="/etc/tor/torrc"
+
+# User to start the tor daemon.
+# If "User" directive is set in $conffile, then this option is ignored (i.e.
+# tor is started under root, but it setuids to the specified User after start).
+#user="tor"
+
+# Timeout for gracefulstop
+#graceful_timeout="60"
+
+# Set the file limit
+rc_ulimit="-n 30000"
diff --git a/repo/util/tor/tor.initd b/repo/util/tor/tor.initd
new file mode 100644
index 0000000..db8b2cf
--- /dev/null
+++ b/repo/util/tor/tor.initd
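Review bot: The header says these tests fail on aarch64, but the patch deletes `test_sandbox_open_filename`, `test_sandbox_chmod_filename`, `test_sandbox_rename_filename` and `test_sandbox_opendir_dirname` together with their `sandbox_tests[]` entries for every architecture, so on x86_64, where they pass, Tor's seccomp sandbox loses its regression coverage for file-operation filtering; 0002 and 0003 do the same for the glob and chown tests. The table already uses `SANDBOX_TEST_SKIPPED` under `ENABLE_FRAGILE_HARDENING`, so marking the affected cases skipped behind an architecture condition would keep the checks where they work. Each header should also record why the failures occur, or the upstream ticket, so the skips can be lifted later; I can't tell from here whether these were copied from another distribution's package.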
@@ -0,0 +1,92 @@
+#!/sbin/openrc-run
+
+: ${conffile:="/etc/tor/torrc"}
+: ${user:="tor"}
+: ${graceful_timeout:="${GRACEFUL_TIMEOUT:-60}"}
+
+command="/usr/bin/tor"
+command_args="-f $conffile --runasdaemon 0"
+command_background="yes"
+start_stop_daemon_args="--chdir /var/lib/tor"
+pidfile="/run/tor/tor.pid"
+
+extra_commands="checkconfig"
+extra_started_commands="gracefulstop reload"
+
+description="Anonymizing overlay network for TCP"
+description_checkconfig="Check if config file is valid."
+description_reload="Reload the configuration."
+# See bug #523552, and https://trac.torproject.org/projects/tor/ticket/5525
+description_gracefulstop="Gracefully stop (wait $gracefulstop until all connections are properly closed)."
+
+
+depend() {
+ need net
+}
+
+checkconfig() {
+ # First check that it exists.
+ if [ ! -f "$conffile" ] ; then
+ eerror "You need to setup $conffile first, see $conffile.sample for example"
+ return 1
+ fi
+
+ # Now verify whether the configuration is valid.
+ # If User directive is set in $conffile, then we must run tor as root,
+ # even --verify-config, otherwise it fails when verifying permissions
+ # of DataDirectory.
+ if conf_has User; then
+ local user="root"
+ fi
+ local out
+ out="$(su -s /bin/sh -c "$command $command_args --verify-config" $user 2>&1)" || {
+ eerror "Tor configuration $conffile is not valid"
+ printf '%s\n' "$out"
+ return 1
+ }
+}
+
+start_pre() {
+ checkconfig || return 1
+
+ # If User directive is set in $conffile, start tor as root and let it
+ # drop privileges itself (may be needed e.g. to bind to a privileged
+ # port). Otherwise run tor as $user (recommended).
+ if conf_has User; then
+ local user="$(conf_get User)"
+ else
+ start_stop_daemon_args="$start_stop_daemon_args --user $user"
+ fi
+
+ if conf_has DataDirectory; then
+ checkpath -d -m 0700 -o "$user" "$(conf_get DataDirectory)"
+ fi
+ checkpath -d -m 0755 -o "$user" "$(dirname "$pidfile")"
+}
+
+gracefulstop() {
+ ebegin "Gracefully stopping Tor, this can take up to $graceful_timeout seconds"
+ start-stop-daemon --stop \
+ --progress \
+ --signal INT \
+ --retry $graceful_timeout \
+ --pidfile "$pidfile" \
+ --exec $command -- $command_args
+ eend $?
+}
+
+reload() {
+ start_pre || return 1
+
+ ebegin "Reloading Tor configuration"
+ start-stop-daemon --signal HUP --pidfile "$pidfile"
+ eend $?
+}
+
+conf_get() {
+ sed -n "s/^\s*$1 \([^#]*\)/\1/p" "$conffile"
+}
+
+conf_has() {
+ grep -q "^\s*$1 " "$conffile"
+}
diff --git a/repo/util/tor/tor.xibuild b/repo/util/tor/tor.xibuild
new file mode 100644
index 0000000..92b719d
--- /dev/null
+++ b/repo/util/tor/tor.xibuild
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+NAME="tor"
+DESC="Anonymous network connectivity"
+
+MAKEDEPS="make "
+DEPS="libcap libseccomp libevent openssl cacerts zlib xz zstd "
+
+PKG_VER=0.4.7.7
+SOURCE="https://www.torproject.org/dist/tor-$PKG_VER.tar.gz"
+ADDITIONAL="torrc.sample.patch tor.initd tor.confd"
+
+prepare () {
+ apply_patches
+}
+
+build () {
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/share/man \
+ --disable-html-manual
+ make
+
+}
+
+package () {
+ make DESTDIR="$PKG_DEST" install
+
+ install -dm0755 -o "tor" \
+ "$PKG_DEST"/var/lib/"tor" \
+ "$PKG_DEST"/var/log/"tor"
+
+ install -Dm0755 "tor".initd \
+ "$PKG_DEST"/etc/init.d/"tor"
+ install -Dm0644 "tor".confd \
+ "$PKG_DEST"/etc/conf.d/"tor"
+}
+
+postinstall () {
+ adduser -S -D -H -h /var/lib/tor -s /sbin/nologin -g tor tor 2>/dev/null
+ exit 0
+}
diff --git a/repo/util/tor/torrc.sample.patch b/repo/util/tor/torrc.sample.patch
new file mode 100644
index 0000000..3360e98
--- /dev/null
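Review bot: `description_gracefulstop` interpolates `$gracefulstop`, which is never assigned (gracefulstop is the function defined below), so the help text comes out as "wait  until all connections…"; it should read `$graceful_timeout`, the variable `gracefulstop()` itself uses. In `checkconfig`, `$conffile` is expanded into the string handed to `su -c` and `$user` is passed unquoted, so a path containing whitespace or shell metacharacters is re-parsed by the child shell; quoting inside the string, `-c "$command -f \"$conffile\" --runasdaemon 0 --verify-config" "$user"`, avoids that. `conf_get`'s `\([^#]*\)` also captures trailing whitespace, and that value reaches `checkpath -o "$user"` in `start_pre` verbatim, so trimming it in the sed expression would make the ownership argument exact.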
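Review bot: `install -dm0755 -o "tor"` in `package()` runs on the build host, where the `tor` account is only created afterwards by `postinstall`, so packaging fails (or picks up whatever `tor` resolves to there) unless the builder already has that user; creating the directories without `-o` and leaving ownership to `postinstall` or to the init script's `checkpath -o "$user"` is the usual split. The files `0002-disable-wildcard-escaping-test_patch`, `0003-disable-sandbox_chown_filename-test_patch` and `0004-disable-more-sandbox-tests_patch` added by this commit are not listed in `ADDITIONAL` and carry a `_patch` suffix, so as far as I can see `apply_patches` never applies them; either list them (renamed to `.patch`) or drop them from the commit. `exit 0` at the end of `postinstall` terminates the caller if the hook is sourced rather than executed; `return 0` is the safer form, since `2>/dev/null` already tolerates an existing user.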
+++ b/repo/util/tor/torrc.sample.patch
@@ -0,0 +1,27 @@
+--- a/src/config/torrc.sample.in
++++ b/src/config/torrc.sample.in
+@@ -35,7 +35,7 @@
+ ## may provide sensitive information to an attacker who obtains the logs.
+ ##
+ ## Send all messages of level 'notice' or higher to @LOCALSTATEDIR@/log/tor/notices.log
+-#Log notice file @LOCALSTATEDIR@/log/tor/notices.log
++Log notice file @LOCALSTATEDIR@/log/tor/notices.log
+ ## Send every possible message to @LOCALSTATEDIR@/log/tor/debug.log
+ #Log debug file @LOCALSTATEDIR@/log/tor/debug.log
+ ## Use the system log instead of Tor's logfiles
+@@ -43,14 +43,9 @@
+ ## To send all messages to stderr:
+ #Log debug stderr
+
+-## Uncomment this to start the process in the background... or use
+-## --runasdaemon 1 on the command line. This is ignored on Windows;
+-## see the FAQ entry if you want Tor to run as an NT service.
+-#RunAsDaemon 1
+-
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+-#DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory @LOCALSTATEDIR@/lib/tor
+
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.
diff --git a/repo/x11/xss-lock/xss-lock.xibuild b/repo/x11/xss-lock/xss-lock.xibuild
new file mode 100644
index 0000000..5320bed
--- /dev/null
+++ b/repo/x11/xss-lock/xss-lock.xibuild
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+NAME="xss-lock"
+DESC="Use external locker as X screen saver"
+
+MAKEDEPS="cmake "
+DEPS="glib xcb-util "
+
+PKG_VER=0.3.0
+SOURCE="https://bitbucket.org/raymonad/xss-lock/get/v$PKG_VER.tar.gz"
+
+build () {
+ cmake -B build \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DCMAKE_INSTALL_LIBDIR=/usr/lib \
+ -DBUILD_SHARED_LIBS=True \
+ -DBUILD_STATIC_LIBS=OFF
+ cmake --build build
+}
+
+package () {
+ DESTDIR="$PKG_DEST" cmake --install build
+}
--
cgit v1.2.1
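Review bot: Enabling `Log notice file @LOCALSTATEDIR@/log/tor/notices.log` by default makes startup depend on `/var/log/tor` being writable by the account tor runs as, but tor.initd's `start_pre` only runs `checkpath` for DataDirectory and the pidfile directory; when torrc sets `User` to something other than `tor`, the directory packaged with `-o "tor"` in tor.xibuild stays owned by the wrong account and the log open is likely to fail. Adding `checkpath -d -o "$user" /var/log/tor` beside the DataDirectory check in tor.initd would close that gap. The deleted RunAsDaemon paragraph is sample documentation rather than a setting; since the init script forces `--runasdaemon 0` on the command line, a one-line comment stating that in its place would explain the removal better than dropping it silently.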